From 07ab64f29cdda3a6d6ce70a0175b772cdfcc3547 Mon Sep 17 00:00:00 2001
From: Sudeep Holla
Date: Thu, 23 May 2024 15:16:41 +0100
Subject: [PATCH 1/4] docker: Use pip packages instead of debian for cryptography and pyelftools Some projects that depend on python cryptography and pyelftools packages fail to build even when debian packages are installed. However, the same works just fine with pip packages for the same. Hence, lets move those couple of debian packages to pip packages instead.
Signed-off-by: Sudeep Holla
---
 docker/Dockerfile.slim | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/docker/Dockerfile.slim b/docker/Dockerfile.slim
index bf3beb9..3ede369 100644
--- a/docker/Dockerfile.slim
+++ b/docker/Dockerfile.slim
@@ -109,9 +109,7 @@ RUN apt-get install --assume-yes --no-install-recommends --option=debug::pkgProb
 mtools \
 netcat-openbsd \
 ninja-build \
- python3-cryptography \
 python3-pip \
- python3-pyelftools \
 python3-serial \
 python-is-python3 \
 rsync \
@@ -122,6 +120,10 @@ RUN apt-get install --assume-yes --no-install-recommends --option=debug::pkgProb
 xterm \
 xz-utils \
 zlib1g-dev
+RUN pip3 install \
+ cryptography \
+ pyelftools
+
 # Install packages requried by EDK2.
 # From https://developer.arm.com/documentation/102571/0100/Build-firmware-on-a-Linux-host.
--
GitLab
From 8adaa2d0ac5f7e67603984143c5da0cf9d74f98c Mon Sep 17 00:00:00 2001
From: Sudeep Holla
Date: Sun, 12 Mar 2023 21:21:13 +0000
Subject: [PATCH 2/4] config: Add base configuration OPTEE OS partition This config adds support to build OPTEE OS. Currently only 64-bit mode is added as it is the one widely used and also to avoid dependency on 32-bit compilers.
Signed-off-by: Sudeep Holla
---
 config/optee-base.yaml | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 config/optee-base.yaml
diff --git a/config/optee-base.yaml b/config/optee-base.yaml
new file mode 100644
index 0000000..e01d97c
--- /dev/null
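Review bot: The added `RUN pip3 install cryptography pyelftools` in the second hunk of docker/Dockerfile.slim takes whatever versions PyPI serves when the image is built, so two builds of the same Dockerfile can ship different, unreviewed code in an image that is then used to build firmware. Pin both packages, for example `RUN pip3 install --no-cache-dir cryptography==<PINNED_VERSION> pyelftools==<PINNED_VERSION>`, or install from a requirements file with `--require-hashes` so the downloaded artefacts are checked as well. The base image is not visible in these hunks; if its system Python is marked externally managed (PEP 668), a system-wide `pip3 install` may be refused and a virtual environment would be needed. The commit message does not say which projects failed with the Debian packages, and a short comment above the `RUN` recording that would help whoever revisits the pin.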
+++ b/config/optee-base.yaml
@@ -0,0 +1,37 @@
+# Copyright (c) 2024, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+ This provides the baseline for OPTEE 64-bit build.
+
+build:
+ optee:
+ repo:
+ remote: https://github.com/OP-TEE/optee_os.git
+ revision: 4.2.0
+
+ toolchain: aarch64-linux-gnu-
+
+ params:
+ CFG_ARM_GICV3: y
+ CFG_ARM64_core: y
+ CFG_CALLOUT: y
+ CFG_CORE_HEAP_SIZE: 131072
+ CFG_DEBUG_INFO: y
+ CFG_NOTIF_TEST_WD: y
+ CFG_TEE_CORE_LOG_LEVEL: 2
+ CFG_USER_TA_TARGETS: ta_arm64
+ CROSS_COMPILE: aarch64-linux-gnu-
+ CROSS_COMPILE_core: aarch64-linux-gnu-
+ CROSS_COMPILE_ta_arm64: aarch64-linux-gnu-
+ DEBUG: 0
+ PLATFORM: vexpress-fvp
+ build:
+ - make O=${param:builddir} ${param:join_equal} all
+
+ artifacts:
+ OPTEE_HDR_BIN: ${param:builddir}/core/tee-header_v2.bin
+ OPTEE_PAGER_BIN: ${param:builddir}/core/tee-pager_v2.bin
+ OPTEE_PAGEABLE_BIN: ${param:builddir}/core/tee-pageable_v2.bin
--
GitLab
From 961dc11d100f3300bccbdf27a7d4957a7e6179bb Mon Sep 17 00:00:00 2001
From: Sudeep Holla
Date: Tue, 4 Jun 2024 19:31:10 +0100
Subject: [PATCH 3/4] config: Add support to run optee in SEL1 with no FF-A or SEL2/Hafnium This is base configuration to run OPTEE in the secure world. It doesn't include any FF-A or S-EL2/Hafnium. This is useful to compare it with other configurations that include FF-A and/or Hafnium in S-EL2.
Signed-off-by: Sudeep Holla
---
 config/ns-edk2-optee.yaml | 41 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 config/ns-edk2-optee.yaml
diff --git a/config/ns-edk2-optee.yaml b/config/ns-edk2-optee.yaml
new file mode 100644
index 0000000..73bdc55
--- /dev/null
+++ b/config/ns-edk2-optee.yaml
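Review bot: `revision: 4.2.0` in config/optee-base.yaml names a tag, which the upstream repository can move, so the secure-world code this config builds is not fixed by the file itself. If the tool accepts a commit id here, `revision: <COMMIT_ID_OF_4.2.0>` with the tag kept in a trailing comment makes the build reproducible and auditable; if the sibling base configs deliberately track tags, stay consistent with them. Separately, `CFG_NOTIF_TEST_WD: y` and `CFG_DEBUG_INFO: y` look like test and debug settings, and a comment above `params:` such as `# FVP test baseline: test and debug options enabled, not a production profile` would keep this file from being copied into a product config unchanged.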
@@ -0,0 +1,41 @@
+# Copyright (c) 2023, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+ Brings together a software stack to demonstrate OPTEE in secure EL1
+ with TF-A in secure EL3 but without FF-A and secure EL2(Hafnium).
+ Secure partition dispatcher exists inside OPTEE.
+
+concrete: true
+
+layers:
+ - ns-edk2.yaml
+ - optee-base.yaml
+
+build:
+ tfa:
+ params:
+ BL32: ${artifact:OPTEE_HDR_BIN}
+ BL32_EXTRA1: ${artifact:OPTEE_PAGER_BIN}
+ BL32_EXTRA2: ${artifact:OPTEE_PAGEABLE_BIN}
+ SPD: opteed
+ ARM_TSP_RAM_LOCATION: tdram
+ dt:
+ build:
+ # When using the default fvp-base-revc.dts, an overlay is added which
+ # adds extra properties that OPTEE requires to enable OPTEE driver
+ # in the kernel.
+ - if [ "$${DTS}" = "fvp-base-revc.dts" ]; then
+ - >-
+ OVERLAY="/ {
+ firmware {
+ optee {
+ compatible = \"linaro,optee-tz\";
+ method = \"smc\";
+ };
+ };
+ };"
+ - ( dtc -q -O dts -I dtb $${DTB_FINAL} ; echo -e "$${OVERLAY}" ) | dtc -q -O dtb -o $${DTB_FINAL}
+ - fi
--
GitLab
From cb0bbe058081fe694925390b1b39f452990d6c91 Mon Sep 17 00:00:00 2001
From: Sudeep Holla
Date: Fri, 21 Jun 2024 11:16:51 +0100
Subject: [PATCH 4/4] test: Include basic OPTEE without FF-A into test vector A configuration with OPTEE in secure EL1 with TF-A in secure EL3 without FF-A and secure EL2/Hafnium is being adding. Let us add the same into the test vector for build and boot test coverage. There is no ACPI binding for this non-FFA configuration of running OPTEE and hence no ACPI coverage needed for it.
Signed-off-by: Sudeep Holla
---
 test/test.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/test/test.py b/test/test.py
index edf93e6..6bf64c9 100755
--- a/test/test.py
+++ b/test/test.py
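Review bot: The last `dt` build step in config/ns-edk2-optee.yaml reads and overwrites `$${DTB_FINAL}` in a single pipeline, and a pipeline reports only the status of its last command, so a failed decompile by the first `dtc` is not detected and the final DTB may be rewritten from incomplete input. Writing to a temporary file and renaming only on success avoids that, and quoting the path guards against spaces: `... | dtc -q -O dtb -o "$${DTB_FINAL}.tmp" && mv "$${DTB_FINAL}.tmp" "$${DTB_FINAL}"`. `echo -e` also depends on which shell runs these steps, which is not visible here; `printf '%s\n' "$${OVERLAY}"` behaves the same in any POSIX shell.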
@@ -49,6 +49,14 @@ CONFIGS = [
 },
 'arch': {'start': 'v8.0', 'end': ARCH_LATEST},
 },
+ {
+ 'config': 'ns-edk2-optee.yaml',
+ 'btvars': {},
+ 'rtvars': {
+ 'default': {'KERNEL': KERNEL, 'ROOTFS': ROOTFS},
+ },
+ 'arch': {'start': 'v8.0', 'end': ARCH_LATEST},
+ },
 {
 'config': 'ffa-tftf.yaml',
 'btvars': {},
--
GitLab
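Review bot: The new `ns-edk2-optee.yaml` entry in test/test.py carries only a `default` rtvars variant, and the reason for that (no ACPI binding for OP-TEE without FF-A) is recorded only in the commit message. Add a comment above the entry, for example `# DT boot only: there is no ACPI binding for OP-TEE without FF-A.`, so a later reader neither adds an ACPI variant nor treats its absence as an oversight. The `CONFIGS` list starts and ends outside this hunk, so how sibling entries express their ACPI coverage is not visible here.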